Cliffb

@vf.net.nz

USG 20 vpn - struggling to get this to work

Hi

I am very new to the USG 20 and struggling to get a remote client to site vpn working.

I am not too bothered if it's IPsec or SSL, whichever works.

What I want to set up is a Windows 7 PC that connects to the remote network and has access to the remote LAN. Sounds simple, but I am missing something.
I used the wizard to create the VPN config (IPsec) with a shared key. Now I have set the Win 7 client up to connect with that key; it then asks for user/password, but I am not sure where to assign users to have access to the VPN.

I am also not sure in the wizard what needs to go in the remote policy IP/mask. Do I leave that at 0.0.0.0 /255.255.255.0?
I have the latest firmware on this device, so some of the manual I have seems to differ.

So my question(s) are:

1. In the VPN wizard, what info do I need for the remote policy?
2. How do I assign users to have access through the tunnel?
3. Anything else I need to know to get this working?

Can't seem to find anything step by step that works....help please!

thanks
Cliff



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

For Windows you need L2TP VPN.
Check the manual page 85++ and page 91++ »ftp://ftp.zyxel.com/ZyWALL_USG_20/user···_Ed1.pdf

Additional info
Support note »ftp://ftp.zyxel.com/ZyWALL_USG_20/supp···3.00.pdf
This may be also helpful »L2TP VPN on USG - quick how-to


hyde1

join:2012-11-16
reply to Cliffb

Cliff, good luck with this.
I am in the same boat. I followed everything in the PDF (including replicating what is explained in the video that's embedded in the PDF) to the dot, yet I still cannot connect to the VPN.
I keep getting this error 787 on my Win 7 Pro, and when I check the log, I see this:

»gyazo.com/b7e1f151b8921ba8ed3171···53563794

Obviously I am connecting to the ZyWall, but for some reason it is not letting me in. Shared Key and User Password are the same, 12345678, so it cannot be a typo. Is there anything we need to do on the firewall?


speedyb
Premium
join:2012-11-20
netherlands

1 edit

I was also struggling to get this to work. I had 2 things I wanted to get working, and that was site2site and L2TP at the same time. And that is not really the way to go, as explained by Brano...

With that in mind I focused on only one thing at a time, and now have both working.

Below is all I have set for the L2TP VPN to get it working.

VPN Gateway
* L2TP_GW (for client l2tp connections)
   - My Address => Interface: wan1
   - Peer Gateway Address ==> Dynamic Address
   - Authentication ==> Pre-Shared Key: 1234567890
   - Phase1 settings ==> proposal:
             3DES, MD5
             3DES, SHA1
             DES, SHA1
   - Phase1 settings ==> Key group: DH2
 
VPN Connection
* L2TP_VPN (For the client L2TP connections)
   - VPN Gateway ==> Application Scenario: Remote Access (Server Role)
   - VPN Gateway ==> VPN Gateway: L2TP_GW
   - Policy ==> Local policy: WAN_Interface (Create new INTERFACE IP of wan1)
   - Related Settings ==> Zone: IPSec_VPN
   - Phase2 settings ==> proposal:
             3DES, SHA1
             3DES, MD5
             DES, SHA1
 
L2TP VPN
   - VPN Connection: L2TP_VPN
   - IP Address Pool: L2TP_Pool (Create new range or subnet)
   - Authentication method: Default
   - Allowed User: VPN_Users (Group with different users with VPN Rights)
 
Routing (Policy)
* From L2TP_Pool to Any Allow Any NextHop:SYSTEM_DEFAULT_WAN_TRUNK
* From Any to L2TP_Pool Allow Any Nexthop:L2TP_VPN
 


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

1 edit
reply to Cliffb

To hyde1: I have 6 site-to-site tunnels running and one L2TP from Android simultaneously ... all working fine.
I have to admit I've not tested Win7 as an L2TP client (but will do sometime). So if your L2TP is not working, it's most likely an issue on the Win7 side, I'd say, or the ciphers you've chosen on the USG are not compatible with what Win7 is proposing to use.


hyde1

join:2012-11-16
reply to Cliffb

Thanks Speedy and Brano, will try above step-by-step.
I wish the log would provide a bit more detail on what is preventing the VPN connection from being established. It just says authentication failed; I know the user/password is correct, and the passphrase is also correct. Can I try using a certificate? How does that work?

I now have a bunch of VPNs which I am deleting.
Also, would any changes to WIZ_VPN_PROVISIONING or any other objects matter? I assume if they are not used by the L2TP it should be OK? Or should I just get rid of all default objects that I may have modified while trying to get this to work?

I can also try my wife's old Vista laptop to see if the problem is 7 or not. I have no Android or iOS device. I have a Playbook, I can check if it has VPN support.


hyde1

join:2012-11-16

1 edit
reply to speedyb

Speedy,

VPN Connection:
[x] Use Policy Route to control dynamic IPSec rules
[ ] Ignore "Don't Fragment" setting in IP header
I have their check state as above; are these the same in yours?

- Policy ==> Local policy: WAN_Interface (Create new INTERFACE IP of wan1) I have a new object as L2TP_IFACE2 pointing to WAN IP.

Also my Encapsulation: was set to Tunnel as default, I hate to change that.

L2TP VPN:
You mentioned VPN Connection: L2TP_GW
I can choose L2TP_VPN, which is what you have on your pdf.

I had a warning once before:
CLI Number: 0
Warning Number: 59003
Warning Message: 'Crypto Map should not be Tunnel Mode.'

Even with all of the above, I still have a problem connecting.
I have a suspicion that the problem could be the routing screen. Can you post your routing screen settings instead of just routing?

Mine looks like (ignore the typo) :
»gyazo.com/0c0cde5863730b600e509d···53648056

And it looks like you have 2, I only have One in my Routing menu.
I added 2 more it looks like this, still cannot connect:
»gyazo.com/c81072b934dd026a953d90···53648394


speedyb
Premium
join:2012-11-20
netherlands

Attachment: Zyxel - L2TP···nfig.pdf (864,030 bytes)
Updated L2TP Config Screenshots
said by hyde1:

VPN Connection:
[x] Use Policy Route to control dynamic IPSec rules
[ ] Ignore "Don't Fragment" setting in IP header
I have their check state as above; are these the same in yours?

I have the same setting

said by hyde1:

- Policy ==> Local policy: WAN_Interface (Create new INTERFACE IP of wan1) I have a new object as L2TP_IFACE2 pointing to WAN IP.

That should do it.

said by hyde1:

Also my Encapsulation: was set to Tunnel as default, I hate to change that.

That is correct, it was in my screenshots

said by hyde1:

L2TP VPN:
You mentioned VPN Connection: L2TP_GW
I can choose L2TP_VPN, which is what you have on your pdf.

I have corrected it.

said by hyde1:

I had a warning once before:
CLI Number: 0
Warning Number: 59003
Warning Message: 'Crypto Map should not be Tunnel Mode.'

In the monitoring screen, under Log, I get a lot of IKE messages.
See the last page in the newly uploaded PDF file.

I have also added the routing pages to the PDF.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

For L2TP please check this complete guide »L2TP VPN on USG - quick how-to
The only change that may be needed is changing ciphers to work with Win7.

Don't combine/mix your 'VPN Connection' and 'VPN Gateway' between your L2TP and site-to-site tunnels. Create separate rules for each type of VPN. There are different settings for each VPN type, i.e. L2TP is using Transport mode and site-to-site is using Tunnel mode in Phase 2.

Ensure that "Ignore "Don't Fragment" setting in IP header" is checked. There seems to be a bug in the FW; see my issues here »Can't access USG web via VPN


hyde1

join:2012-11-16

said by speedyb:

I have also added the routing pages to the PDF.

Thanks speedyb,
You forgot to add a link to the new PDF.

said by Brano:

For L2TP please check this complete guide »L2TP VPN on USG - quick how-to
The only change that may be needed is changing ciphers to work with Win7.

You mean Encryption/Authentication? Using 3DES/AES128 instead of the others?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Yes. I believe the ciphers should work as they are, but if not try to match these »technet.microsoft.com/en-us/libr···%29.aspx


speedyb
Premium
join:2012-11-20
netherlands
reply to hyde1

said by hyde1:

You forgot to add a link to the new PDF.

It is attached to the second post. Same name, but new version.

hyde1

join:2012-11-16

said by speedyb:

It is attached to the second post. Same name, but new version.

Yep, just noticed it now, I was still looking at your old PDF in my history. Thanks.

hyde1

join:2012-11-16
reply to Brano

Thank you. When I changed the Enc/Auth as per your screenshots, I get past the initial "Connecting to x.x.x.x" screen, saying "Opening Port..." "Port Opened", and then I get back to "Connecting to x.x.x.x via WAN Miniport", then it gives me the 787 error again. I already disabled my laptop's firewall; I also tried disabling the ZyWall's firewall to make sure there is nothing blocking me. Does not help.

I assume it is not a WAN or IP problem? If I want to try another method, trying to connect using the cable connection, what do I need to forward on Time Warner's cable modem so that the request gets routed to the Zywall? I am being assigned the IP address 192.168.0.100 by TWC's router. Maybe there is a problem with the T1's Cisco equipment blocking VPN.


speedyb
Premium
join:2012-11-20
netherlands

What do you see in the log on the ZyWall?

Could you post it here?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to hyde1

said by hyde1:

I assume it is not a WAN or IP problem? If I want to try another method, trying to connect using the cable connection, what do I need to forward on Time Warner's cable modem so that the request gets routed to the Zywall? I am being assigned the IP address 192.168.0.100 by TWC's router. Maybe there is a problem with the T1's Cisco equipment blocking VPN.

Are you saying that you don't have a public IP on the ZyWall's WAN interface? If so, then you're behind NAT and that complicates things.

Based on your descriptions you have two internet connections. If at least one of them gives you a public IP on the USG WAN interface, try setting up your VPN there.

hyde1

join:2012-11-16
reply to speedyb

said by speedyb:

What do you see in the log on the ZyWall?

Could you post it here?

»gyazo.com/b7e1f151b8921ba8ed3171···3b10.png

hyde1

join:2012-11-16
reply to Brano

said by Brano:

Are you saying that you don't have a public IP on the ZyWall's WAN interface? If so, then you're behind NAT and that complicates things.

Based on your descriptions you have two internet connections. If at least one of them gives you a public IP on the USG WAN interface, try setting up your VPN there.

One is a dynamic WAN IP assigned to Time Warner's cable modem, which in turn assigns an internal dynamic IP to the Zywall.
The other is the T1, a static IP assigned directly to the Zywall (I guess their Cisco box is in bridge or gateway mode, since it uses another static IP off our pool and acts as gateway).

I was concerned that the T1's Cisco box is blocking some incoming connections, and I wanted to try Time Warner's cable connection. I would have to check if they offer bridge mode on their equipment, so maybe I can get a dynamic IP assigned directly to the Zywall instead of their modem, so I can try connecting through that.


speedyb
Premium
join:2012-11-20
netherlands

Now with the download link: »ftp://ftp2.zyxel.com/ZyWALL_IPSec_VPN_···1.71.zip


speedyb
Premium
join:2012-11-20
netherlands

1 recommendation

reply to hyde1

I see in your log that Phase 1 is not successful, so we have to focus on the Phase 1 settings. Either the encoding or the PSK is not correct, but I bet it is the encryption settings.

If I understand this page »support.microsoft.com/kb/325158, Microsoft uses 3DES/SHA1 with ESP and no Authentication Header.

So your encryption should include 3DES with SHA1.

Have you tried the ZyXel VPN Client? »www.zyxel.com/products_services/···html?t=p
Maybe this will work, and you can find more logging from the client side.


hyde1

join:2012-11-16

said by speedyb:

I see in your log that Phase 1 is not successful, so we have to focus on the Phase 1 settings. Either the encoding or the PSK is not correct, but I bet it is the encryption settings.

If I understand this page »support.microsoft.com/kb/325158, Microsoft uses 3DES/SHA1 with ESP and no Authentication Header.

So your encryption should include 3DES with SHA1.

Have you tried the ZyXel VPN Client? »www.zyxel.com/products_services/···html?t=p
Maybe this will work, and you can find more logging from the client side.

1) Can I disable encryption altogether, just to try if it is working?

2) I was under the impression that the VPN client requires a license. I noticed you also posted a link to the client above with a download link.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

That VPN client is mostly for connecting to the old ZyNOS ZyWall series that don't have L2TP VPN. The ZLD ZyWall series (USG) can connect directly with the Windows native L2TP client.


speedyb
Premium
join:2012-11-20
netherlands

1 recommendation

reply to hyde1

said by hyde1:

1) Can I disable encryption altogether, just to try if it is working?

You can try by making the encryption optional and removing the encryption in the Gateway, but I don't know if it will work.

Let us know

said by hyde1:

2) I was under the impression that the VPN client requires a license. I noticed you also posted a link to the client above with a download link.

On the Zyxel page there is the download link on the left hand side. So I don't know. But I think it can be used to troubleshoot the IPSec part, because that is where it seems to be failing.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

For whatever it's worth, I've set up a Win7 VM and am trying L2TP to a USG50.
I can't get past Phase 2. Phase 1 is successful, Phase 2 is "proposal mismatch, no proposal chosen", and I've tried pretty much all proposal combinations.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

1 edit

OK, got connected from Win7 to USG50 using native Win7 VPN client.

Phase 1 settings:
SA Life Time: 180 or higher
Mode: Main
Proposal: 3DES-SHA1
Key Group: DH2
NATT: Yes
DPD: Yes (optional)

Phase 2 settings:
SA Life Time: 3600 or higher
Protocol: ESP
Encapsulation: Transport
Proposal: AES128-SHA1, 3DES-SHA1
PFS: none
Replay Detection: Yes (optional)
NetBIOS broadcast over IPSec: Yes (optional)

These settings seem to be working for Android 4.0 L2TP VPN as well.

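The "proposal mismatch, no proposal chosen" failure above comes from the responder finding no Phase 2 proposal it accepts among those the client offers, most often because an L2TP rule was left in Tunnel mode while the Windows client negotiates Transport mode. The following is an added example (not ZyXEL's, Microsoft's, or any poster's code) that models that responder-side selection and reports which attribute is to blame; the Windows-side offer list is an assumption constructed from Brano's working Phase 2 settings.

```python
"""Model of IKE Phase 2 proposal selection for an L2TP/IPsec responder.
Example code written for this thread; the proposal lists below are constructed."""
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str          # "ESP" or "AH"
    encapsulation: str     # "Transport" for L2TP, "Tunnel" for site-to-site
    encryption: str        # "DES", "3DES", "AES128", ...
    integrity: str         # "SHA1" or "MD5"
    pfs: Optional[str]     # DH group used for PFS, or None


def _differences(a: Phase2Proposal, b: Phase2Proposal) -> List[str]:
    """Names of the fields on which two proposals disagree."""
    return [f.name for f in fields(Phase2Proposal) if getattr(a, f.name) != getattr(b, f.name)]


def choose_proposal(offered: List[Phase2Proposal],
                    accepted: List[Phase2Proposal]) -> Tuple[Optional[Phase2Proposal], List[str]]:
    """Responder-side choice: the first proposal the initiator offers that the responder
    also accepts. Returns (proposal, []) on success; otherwise (None, fields) where fields
    lists what differs in the closest candidate, i.e. the 'no proposal chosen' case."""
    if not offered or not accepted:
        return None, ["empty proposal list"]
    for p in offered:
        if p in accepted:
            return p, []
    closest = min((_differences(p, a) for p in offered for a in accepted), key=len)
    return None, closest


# Constructed: what the Win7 L2TP client is assumed to offer, based on the settings
# Brano reported as working (ESP, Transport, AES128-SHA1 / 3DES-SHA1, PFS none).
WIN7_L2TP_OFFER = [
    Phase2Proposal("ESP", "Transport", "AES128", "SHA1", None),
    Phase2Proposal("ESP", "Transport", "3DES", "SHA1", None),
]
# Constructed: a USG rule still in Tunnel mode (site-to-site style, or a reused gateway).
USG_TUNNEL_RULE = [Phase2Proposal("ESP", "Tunnel", "3DES", "SHA1", None)]
# Constructed: the L2TP rule with Brano's working Phase 2 settings.
USG_L2TP_RULE = [
    Phase2Proposal("ESP", "Transport", "AES128", "SHA1", None),
    Phase2Proposal("ESP", "Transport", "3DES", "SHA1", None),
]

if __name__ == "__main__":
    for name, rule in (("tunnel-mode rule", USG_TUNNEL_RULE), ("L2TP rule", USG_L2TP_RULE)):
        chosen, mismatch = choose_proposal(WIN7_L2TP_OFFER, rule)
        print(name, "->", chosen or "no proposal chosen, differs in: " + ", ".join(mismatch))
```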

hyde1

join:2012-11-16
reply to Cliffb

After following Brano's quick how-to, and using the default Win7 dialer, I am testing the VPN from my office using a router that is actually connected to LAN2. The VPN is still going over the internet, then coming back to the Zywall, and it seems to work fine. I will try again when I get home; hopefully it is not a glitch that is allowing the VPN to work.

I have one question, though. Even though I get connected, I cannot see any of the other computers on my network. Would I have to change LAN_L2TP to the same subnet as my other computers? Even when I did that I couldn't see other network devices or shares.


hyde1

join:2012-11-16
reply to Brano

Update: I got home, and I can connect to the VPN (Hurray!) But I see the same behavior: I cannot see any office workstations or network-connected equipment (I was hoping I could print through the VPN).

It also disables my WiFi internet connection: while it is still connected, I cannot load any websites. I could expect something like this if I had both wired and wireless connections (like I mentioned in another topic), but I only have WiFi and VPN over WiFi. I should still be able to go online even if I did not enable going online through the VPN, right?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

1 edit

Re-read this thread »L2TP VPN on USG - quick how-to and ensure you have all Firewall and Policy rules set up correctly.

Also ensure all your LAN PC firewalls allow access from your L2TP_VPN_IP_POOL.


speedyb
Premium
join:2012-11-20
netherlands
reply to Brano

Brano,

I now have a similar problem on one of the Zyxels. But in my case I see it connecting to the wrong gateway (the one for the site-to-site) and not to the one configured in the L2TP.

Any Ideas? Or did you see the same thing in your logging?

Regards,

Bas



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

If it's connecting to the wrong gateway, that means you must have a similar gateway configured with very similar settings. Try to change the gateway in some way ... use a different PSK or certificate, a different CN in the certificate, possibly a different Phase 1.